keycloak(metis): seed node intranet ips in vault
parent
84934a6d1c
commit
0171ffad38
@ -1,11 +1,11 @@
|
||||
# services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml
|
||||
# One-off job for sso/metis-node-passwords-secret-ensure-3.
|
||||
# Purpose: ensure per-node Metis recovery password placeholders exist in Vault.
|
||||
# Atlas/root values are preserved while legacy password keys are removed.
|
||||
# One-off job for sso/metis-node-passwords-secret-ensure-4.
|
||||
# Purpose: ensure per-node Metis recovery placeholders exist in Vault.
|
||||
# Atlas/root values are preserved while intranet IPs are standardized per node.
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: metis-node-passwords-secret-ensure-3
|
||||
name: metis-node-passwords-secret-ensure-4
|
||||
namespace: sso
|
||||
spec:
|
||||
backoffLimit: 0
|
||||
@ -47,35 +47,12 @@ spec:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
nodes="
|
||||
titan-04
|
||||
titan-05
|
||||
titan-06
|
||||
titan-07
|
||||
titan-08
|
||||
titan-09
|
||||
titan-0a
|
||||
titan-0b
|
||||
titan-0c
|
||||
titan-10
|
||||
titan-11
|
||||
titan-12
|
||||
titan-13
|
||||
titan-14
|
||||
titan-15
|
||||
titan-16
|
||||
titan-17
|
||||
titan-18
|
||||
titan-19
|
||||
titan-20
|
||||
titan-21
|
||||
titan-22
|
||||
titan-23
|
||||
titan-24
|
||||
"
|
||||
|
||||
ensured=0
|
||||
for node in ${nodes}; do
|
||||
while read -r node intranet_ip; do
|
||||
if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
secret_path="kv/data/atlas/nodes/${node}"
|
||||
read_status="$(curl -sS -o /tmp/node-read.json -w "%{http_code}" -H "X-Vault-Token: ${vault_token}" "${vault_addr}/v1/${secret_path}" || true)"
|
||||
if [ "${read_status}" = "200" ]; then
|
||||
@ -90,7 +67,7 @@ spec:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" '{data:{atlas_password:$atlas_password,root_password:$root_password}}')"
|
||||
payload="$(jq -nc --arg atlas_password "${atlas_password}" --arg root_password "${root_password}" --arg intranet_ip "${intranet_ip}" '{data:{atlas_password:$atlas_password,root_password:$root_password,intranet_ip:$intranet_ip}}')"
|
||||
|
||||
write_status="$(curl -sS -o /tmp/node-write.json -w "%{http_code}" -X POST -H "X-Vault-Token: ${vault_token}" -H 'Content-Type: application/json' -d "${payload}" "${vault_addr}/v1/${secret_path}")"
|
||||
if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
|
||||
@ -100,7 +77,34 @@ spec:
|
||||
fi
|
||||
|
||||
ensured=$((ensured + 1))
|
||||
echo "Ensured node secret placeholder for ${node}"
|
||||
done
|
||||
echo "Ensured node secret placeholder for ${node} (${intranet_ip})"
|
||||
done <<'EOF_NODES'
|
||||
titan-jh 192.168.22.8
|
||||
titan-db 192.168.22.10
|
||||
titan-0a 192.168.22.11
|
||||
titan-0b 192.168.22.12
|
||||
titan-0c 192.168.22.13
|
||||
titan-20 192.168.22.20
|
||||
titan-21 192.168.22.21
|
||||
titan-22 192.168.22.22
|
||||
titan-23 192.168.22.23
|
||||
titan-24 192.168.22.26
|
||||
titan-04 192.168.22.30
|
||||
titan-05 192.168.22.31
|
||||
titan-06 192.168.22.32
|
||||
titan-07 192.168.22.33
|
||||
titan-08 192.168.22.34
|
||||
titan-09 192.168.22.35
|
||||
titan-10 192.168.22.36
|
||||
titan-11 192.168.22.37
|
||||
titan-12 192.168.22.40
|
||||
titan-13 192.168.22.41
|
||||
titan-14 192.168.22.42
|
||||
titan-15 192.168.22.43
|
||||
titan-16 192.168.22.44
|
||||
titan-17 192.168.22.45
|
||||
titan-18 192.168.22.46
|
||||
titan-19 192.168.22.47
|
||||
EOF_NODES
|
||||
|
||||
echo "Ensured ${ensured} Metis node password placeholders in Vault"
|
||||
echo "Ensured ${ensured} Metis node placeholders in Vault"
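Review bot: The intranet IP read from each heredoc line at `while read -r node intranet_ip` reaches the `payload=` line and the Vault write without any shape check, so a typo'd address, or a line with a stray third token (which `read` folds into the last variable, `intranet_ip`), is seeded silently into `kv/data/atlas/nodes/<node>` and only surfaces when a consumer of that secret uses it. Since this inline inventory is now the source of truth the job writes, bind trailing fields to a third variable and reject them, and reject anything that is not a plain dotted-quad before the write; the script appears to be POSIX `sh` (`[ ]`, `$((…))`), so a `case` pattern suffices. Separately, the KV v2 POST at the `write_status=` line carries no `options.cas`, so a password rotation landing between the read and the write would be overwritten with the stale atlas/root values — passing the `data.metadata.version` from the read response as `cas` would make the job fail closed instead (hedged: the response handling between the hunks is outside this view). The Vault read, the atlas/root extraction and the write helpers are unchanged context and are not shown in full here.
```shell
while read -r node intranet_ip extra; do
  if [ -z "${node}" ] || [ -z "${intranet_ip}" ]; then
    continue
  fi
  # Fail closed on malformed inventory lines: a bad value here is seeded into
  # every consumer of kv/data/atlas/nodes/<node>.
  if [ -n "${extra}" ]; then
    echo "Unexpected extra field for ${node}: '${extra}'" >&2
    exit 1
  fi
  case "${intranet_ip}" in
    *[!0-9.]* | .* | *. | *..*)
      echo "Invalid intranet_ip for ${node}: '${intranet_ip}'" >&2
      exit 1
      ;;
  esac
  # … unchanged: Vault read, atlas/root password extraction, payload build and write …
done <<'EOF_NODES'
```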
|
||||
|
||||